nanog mailing list archives
Re: Firewalls in service provider environments
From: "Matthew Reath" <matt () mattreath com>
Date: Wed, 8 Feb 2012 13:28:41 -0600
> On Wed, Feb 8, 2012 at 9:25 AM, Matthew Reath <matt () mattreath com> wrote:
>> Good point. Adding in an established entry, although it may open you up to TCP/SYN sort of packets, is a better trade-off than affecting customer traffic.
>
> 'established' is explicitly NOT 'syn' ... maybe you meant 'ack flood'? (or rst flood? or .... but certainly not syn flood)
If I had an 'established' entry on an inbound ACL to filter traffic coming from my upstream provider, wouldn't SYN ACK (2nd step in the handshake) packets be allowed to pass the ACL because of this? But I see your point: a connection initiation from external sources with just the SYN flag set would not be allowed. However, if a session is initiated internally, the returning SYN ACK from the external server would be allowed, as would ACK and data packets with ACK set.
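An added example, not code from this thread or from any of its participants: a small Python model of the IOS extended-ACL 'established' keyword, which (per the IOS documentation) matches a TCP segment when its ACK or RST bit is set. The two-line ACL it models (`permit tcp any any established` followed by an implicit deny) is an assumption for illustration, and the sample segments, given in tcpdump flag notation, are constructed. Running it shows both halves of the exchange above: the inbound SYN is dropped while the SYN/ACK, ACK and PSH/ACK of an internally opened session pass, and, because the match is stateless, an ACK or RST with no session behind it also passes.

```python
# Model of the IOS extended-ACL 'established' keyword (added example; not from
# the original thread). Assumes the documented IOS semantics: 'established'
# matches when the TCP ACK bit or the RST bit is set. It is a stateless
# flag test, not a connection table.

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# tcpdump's single-letter flag notation, e.g. "[S.]" for SYN/ACK.
_TCPDUMP_FLAGS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, ".": ACK}


def parse_tcpdump_flags(text: str) -> int:
    """Turn a tcpdump flag string such as '[S.]' or 'P.' into a TCP flag byte."""
    flags = 0
    for ch in text.strip("[]"):
        if ch not in _TCPDUMP_FLAGS:
            raise ValueError(f"unsupported tcpdump flag character: {ch!r}")
        flags |= _TCPDUMP_FLAGS[ch]
    return flags


def matches_established(tcp_flags: int) -> bool:
    """IOS 'established': true when ACK or RST is set, regardless of any session."""
    return bool(tcp_flags & (ACK | RST))


def acl_inbound_from_upstream(tcp_flags: int) -> str:
    """Assumed inbound ACL on the upstream-facing interface:
         permit tcp any any established
         deny   tcp any any        (implicit deny at the end of every IOS ACL)
    """
    return "permit" if matches_established(tcp_flags) else "deny"


# Constructed sample segments as they would arrive from the upstream provider.
SAMPLES = {
    "inbound SYN, external host opening a connection": "[S]",
    "SYN/ACK returned to our internal client (2nd handshake step)": "[S.]",
    "ACK, 3rd handshake step of the internal client's session": "[.]",
    "PSH/ACK data segment from the external server": "[P.]",
    "FIN/ACK closing the internal client's session": "[F.]",
    "spoofed ACK flood segment with no session behind it": "[.]",
    "spoofed RST flood segment with no session behind it": "[R]",
    "FIN-only probe (no ACK set)": "[F]",
}


def evaluate_all() -> dict:
    """Return the ACL verdict for every constructed sample segment."""
    return {name: acl_inbound_from_upstream(parse_tcpdump_flags(flags))
            for name, flags in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{verdict:6}  {SAMPLES[name]:5}  {name}")
```

The last three samples are the point of the 'ack flood' / 'rst flood' remark: a stateless 'established' entry cannot tell a legitimate third-step ACK from a spoofed one, so it keeps customers' outbound sessions working while still letting ACK- or RST-flag floods through.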
Current thread:
- Firewalls in service provider environments Matthew Reath (Feb 07)
- RE: Firewalls in service provider environments Leigh Porter (Feb 07)
- RE: Firewalls in service provider environments Matthew Reath (Feb 07)
- Re: Firewalls in service provider environments William Herrin (Feb 07)
- Re: Firewalls in service provider environments Matthew Reath (Feb 07)
- Re: Firewalls in service provider environments Matt Buford (Feb 07)
- Re: Firewalls in service provider environments Matthew Reath (Feb 08)
- Re: Firewalls in service provider environments Christopher Morrow (Feb 08)
- Re: Firewalls in service provider environments Matthew Reath (Feb 08)
- Re: Firewalls in service provider environments Henry Yen (Feb 08)
- Re: Firewalls in service provider environments David Walker (Feb 09)
- RE: Firewalls in service provider environments Matthew Reath (Feb 07)
- RE: Firewalls in service provider environments Leigh Porter (Feb 07)
- RE: Firewalls in service provider environments George Bonser (Feb 07)
- Re: Firewalls in service provider environments Jared Mauch (Feb 07)
- Re: Firewalls in service provider environments Suresh Ramasubramanian (Feb 07)
- Re: Firewalls in service provider environments Steve Bertrand (Feb 07)
- Re: Firewalls in service provider environments Suresh Ramasubramanian (Feb 07)